U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

National Information Technology Center
General Controls Review – Fiscal Year 2005

Report No. 88501-2-FM
September 2005


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 21, 2005

REPLY TO
ATTN OF:  88501-2-FM

TO:       David Combs
          Acting Chief Information Officer
          Office of the Chief Information Officer

THRU:     Sherry Linkins
          Office of the Chief Information Officer
          Information Resources Management

FROM:     Robert W. Young  /s/
          Assistant Inspector General for Audit

SUBJECT:  National Information Technology Center General Controls Review – Fiscal Year 2005

This report presents the results of our audit of the internal control structure at the Office of the Chief Information Officer/National Information Technology Center as of August 31, 2005. The audit was conducted in accordance with "Government Auditing Standards" issued by the Comptroller General of the United States including American Institute of Certified Public Accountants Professional Standards AU Sections 316, 319, and 324 as amended by applicable statements on auditing standards. The report contains an unqualified opinion on the internal control structure and contains no recommendations. Therefore, no response from your office is necessary.

We appreciate the courtesies and cooperation extended during our audit.


Executive Summary
National Information Technology Center General Controls Review – Fiscal Year 2005

Results in Brief

This report presents the results of our audit of the Office of the Chief Information Officer/National Information Technology Center's (OCIO/NITC) internal control structure as of August 31, 2005. Our review was conducted in accordance with "Government Auditing Standards" issued by the Comptroller General of the United States including American Institute of Certified Public Accountants Professional Standards AU Sections 316, 319, and 324 as amended by applicable statements on auditing standards. The center has taken significant actions to mitigate the weaknesses we identified in prior audit reports. And while minor control issues are still being mitigated in the midrange environment, our report contains an unqualified opinion on the center's internal control structure as a whole.

Our objectives were to perform testing necessary to express an opinion about (1) whether the control objectives and techniques in exhibit A for the U.S. Department of Agriculture's OCIO/NITC present fairly, in all material respects, the aspects of OCIO/NITC's policies and procedures in place and operating effectiveness during the period October 1, 2004 through August 31, 2005; (2) whether this control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily; and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives. In 2004, the U.S. Government Accountability Office (GAO) issued its report on internal controls testing within the Department.[1] We conducted testing to determine the status of corrective action on the issues identified in that report.

Our audit disclosed that the control objectives and techniques identified in exhibit A present fairly, in all material respects, the relevant aspects of OCIO/NITC's control environment taken as a whole. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the control objectives would be achieved and operating effectively.

Recommendation in Brief

Because of the actions OCIO/NITC has initiated and planned, we do not make any new recommendations in this report.

[1] GAO-04-154, "Further Efforts Needed to Address Serious Weaknesses at USDA," dated January 2004.

USDA/OIG-A/88501-2-FM                                                    Page i


Table of Contents

Executive Summary ............................................................. i
Report of the Office of Inspector General ..................................... 1
Exhibit A – Office of Inspector General, Review of Selected Controls .......... 3


Report of the Office of Inspector General

To:  David Combs
     Acting Chief Information Officer
     Office of the Chief Information Officer

We have examined the control objectives and techniques identified in exhibit A for the U.S. Department of Agriculture's (USDA), Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Our examination included procedures to obtain reasonable assurance about (1) whether the control objectives and techniques of the USDA's OCIO/NITC present fairly, in all material respects, the aspects of OCIO/NITC's policies and procedures in place and operating effectiveness during the period October 1, 2004 through August 31, 2005; (2) whether the control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily; and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives. The control objectives were specified by OCIO/NITC.

Our audit was conducted in accordance with "Government Auditing Standards" issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants and included those procedures necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the control objectives and techniques identified in exhibit A of this report present fairly, in all material respects, the relevant aspects of OCIO/NITC. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the remaining control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Also, in our opinion, the policies and procedures that were tested, as described in the exhibit, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from October 1, 2004 through August 31, 2005. The scope of our engagement did not include tests to determine whether control objectives not listed in the exhibit were achieved; accordingly, we express no opinion on achievement of control objectives not included in the exhibit.

The relative effectiveness and significance of specific controls at OCIO/NITC and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The control objectives and techniques at OCIO/NITC are as of August 31, 2005, and information about tests of the operating effectiveness of specific controls covers the period from October 1, 2004, through August 31, 2005. Any projections of such information to the future are subject to the risk that, because of change, they may no longer portray the controls in existence. The potential effectiveness of specific controls at OCIO/NITC is subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. The projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions. Furthermore, the accuracy and reliability of data processed by OCIO/NITC and the resultant report ultimately rests with the user agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCIO/NITC, its users, and their auditors.

/s/

ROBERT W. YOUNG
Assistant Inspector General for Audit

August 31, 2005


Exhibit A – Office of Inspector General, Review of Selected Controls
Exhibit A – Page 1 of 10

The objectives of our examination were to perform testing necessary to express an opinion about (1) whether the control objectives and techniques identified in this exhibit present fairly, in all material respects, the aspects of OCIO/NITC's policies and procedures in place for the period October 1, 2004 through August 31, 2005; (2) whether the control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily; and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives.

This report is intended to provide users of OCIO/NITC with information about the control structure policies and procedures at OCIO/NITC that may affect the processing of user organizations' transactions and also to provide users with information about the operating effectiveness of the policies and procedures that were tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at user organizations, is intended to assist user auditors in (1) planning the audit of user organizations' financial statements and (2) in assessing control risk for assertions in user organizations' financial statements that may be affected by policies and procedures at OCIO/NITC.

Our testing of OCIO/NITC's control structure policies and procedures was restricted to the control objectives and the related policies and procedures listed in the matrices in this exhibit. Our testing was not intended to apply to any other procedures described in OCIO/NITC's Service Center Description and Internal Controls Framework that were not included in the aforementioned matrices or to procedures that may be in effect at user organizations.

Our review was performed through inquiry of key OCIO/NITC personnel, observation of activities, examination of relevant documentation and procedures, and tests of controls. We also followed up on known control weaknesses identified in prior Office of Inspector General (OIG) audits.
We performed such tests as we considered necessary to evaluate whether the operating and control procedures described by OCIO/NITC and the extent of compliance with them are sufficient to provide reasonable, but not absolute, assurance that control objectives are achieved.

The description of the tests of operating effectiveness and the results of those tests are included in the following section of this report.


CONTROL OBJECTIVE 1: Define and communicate OCIO/NITC organizational structure, policies, and procedures.

CONTROL TECHNIQUES:
a. OCIO/NITC relies on Department policy, in most matters, and provides hard copy and electronic access.
b. When Department policy does not provide adequate guidance on administrative issues, OCIO/NITC issues internal Administrative Directives, which define administrative policies and procedures.
c. Policy manuals, procedure manuals, and Administrative Directives are made available in electronic and hard copy form, and are used by personnel.
d. The OCIO/NITC organizational structure and the responsibilities of OCIO/NITC divisions are well documented and understood.
e. Division responsibilities, services, and procedures are documented.
f. Adequate supervisory and approval levels exist in each OCIO/NITC functional area.

TESTS PERFORMED:
We reviewed OCIO/NITC policies and procedures to ensure:
1) Departmental policies had been taken into account.
2) They are revised, updated, and changed when necessary.
3) They were documented and appropriate.
We reviewed the organization structure of OCIO/NITC divisions to ensure they were documented.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective. Further, OCIO/NITC is in the process of updating all their security policies based on a detailed prioritization schedule.
We found the overall organizational structure was suitably designed to achieve the control objective, and was operating effectively.


CONTROL OBJECTIVE 2: Segregate duties between the specialized staff as much as practical.

CONTROL TECHNIQUES:
a. OCIO/NITC is not responsible for Agency user operations or user, application, or data controls.
b. The responsibilities of the OCIO/NITC staff and of the users of OCIO/NITC services are clearly differentiated.
c. Separate duties are defined for the various technical specialties.
d. OCIO/NITC personnel are prohibited from originating, changing, or correcting user input or data, unless so requested in writing.
e. Separation of duty is enforced through access rules within the security software whenever practical and consistent with user requirements.

TESTS PERFORMED:
We reviewed OCIO/NITC level of service for various midrange servers/customers.
We tested duties performed by OCIO/NITC system administrators on both NITC owned and customer midrange systems.
We reviewed standard operating practices and directives for policies and procedures related to assignment of duties to NITC personnel.
We reviewed access to critical operating system software data sets and compared settings to best practice standards.
We reviewed user identifications (ID) with special access privileges. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has effectively mitigated this weakness.
We reviewed system settings and user rights on selected midrange environment servers.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively.
We identified one exception to adequate segregation of duties. Specifically, responsibility for review of the midrange platform logs rested with the midrange system administrators and was not segregated to an independent branch, such as OCIO/NITC security staff, for review. However, OCIO/NITC has contracted for implementation of a host-based intrusion detection system that will consolidate midrange platform logs into one file viewable only by the OCIO/NITC security staff. This system, once fully implemented, will mitigate this vulnerability.


CONTROL OBJECTIVE 3: Apply appropriate controls to the system development life cycle.

CONTROL TECHNIQUES:
a. OCIO/NITC management and contracting agency development involvement is required prior to the design, development, testing, and conversion of new or modified application systems.
b. The modification or installation of systems software requires the approval of OCIO/NITC management.
c. Applications are well documented as they are being designed.
d. Formal, standard control practices are followed in application design and development, and are reviewed for proper implementation.
e. Customer approval of all report layouts, input formats, control reports, etc., is required.

TESTS PERFORMED:
We reviewed policies and procedures to ensure that departmental policies were considered. We reviewed internal policies and procedures to ensure that they are revised, updated, and changed when necessary and were properly implemented.
We reviewed midrange software and firewall changes to determine if changes received documented authorization, review, and approval before implementation. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has initiated and planned actions to mitigate this weakness.
We reviewed software changes to determine if testing is performed before changes are made to the midrange systems and firewalls. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has initiated and planned actions to mitigate this weakness.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively. Further, OCIO/NITC is in the process of updating all their security policies based on a detailed prioritization schedule.


CONTROL OBJECTIVE 4: Provide reasonable assurance that new or modified applications systems and data files are properly converted and implemented.

CONTROL TECHNIQUES:
a. Conversion procedures ensure proper cutoffs and conversion of data files.
b. Testing is performed using only test data.
c. Test results are documented and approved by the contracting customer before acceptance of a new system.
d. Customers are involved in preparing the test data.
e. As applicable, testing is performed on all interrelated systems to evaluate the integrity of those systems.

TESTS PERFORMED:
We reviewed policies and procedures to ensure that departmental policies were considered. We reviewed internal policies and procedures to ensure that they are revised, updated, and changed when necessary and were properly implemented.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively. Further, OCIO/NITC is in the process of updating all their security policies based on a detailed prioritization schedule.


CONTROL OBJECTIVE 5: Provide reasonable assurance that all software changes are appropriately reviewed and authorized.

CONTROL TECHNIQUES:
a. Authorization and approval is required before modifications are made to the network, midrange server, office administration/local area network and mainframe operating systems, or software applications.
b. Operational personnel are not involved in changes to the operating system (mainframe or midrange server) or user applications.
c. There is thorough supervision and review of all changes.
d. Problems and change requests to the operating system and software controlled by the OCIO/NITC are tracked using manual and automated systems that provide an audit trail of system changes.
e. Operating systems and systems software changes are tested to ensure that they operate properly and provide necessary functionality.
f. Modified or new software is not installed until reviewed by appropriate approving officials.

TESTS PERFORMED:
We reviewed software change policies to determine if adequate controls existed over modifications to the network, midrange servers, and mainframe operating systems. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has effectively mitigated this weakness.
We reviewed OCIO/NITC's information management system records to determine if midrange software and firewall changes were documented, approved before modification, and tracked to provide an audit trail. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has effectively mitigated this weakness.
We reviewed change records to determine if midrange and firewall changes were tested before being added to the production environment. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has effectively mitigated this weakness.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively.


CONTROL OBJECTIVE 6: Conduct the planning activities needed to provide reasonable assurance that the OCIO/NITC will meet functional and control requirements.

CONTROL TECHNIQUES:
a. Document current OCIO/NITC controls, and identify required new controls.
b. To the degree possible, plan how OCIO/NITC will meet future Information System requirements.
c. Ensure that sufficient capacity exists to meet peak demand.

TESTS PERFORMED:
We reviewed OCIO/NITC's internal controls framework and evaluated OCIO/NITC's Disaster Recovery Plan. This is a followup issue from our NITC General Controls Review – FISCAL YEAR 2004 (Audit Report No. 88501-1-FM). NITC has effectively mitigated this weakness.
We interviewed OCIO/NITC personnel to determine future plans for securing various OCIO/NITC platforms.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively.


CONTROL OBJECTIVE 7: Access to the operating system, associated software, and documentation is restricted to authorized personnel.

CONTROL TECHNIQUES:
a. Software system specialists are prohibited from initializing the operating system (except in the midrange environment where system administrators will initialize the operating system).
b. Operational personnel are prohibited from making modifications to the operating system and software. Office administration/local area network is administered per memorandum of understanding and security staff oversight.
c. Automated and manual procedures are used to track all significant mainframe

TESTS PERFORMED:
We reviewed system logging policies and procedures.
We reviewed change management policies and procedures, and recently completed their information management records.
We reviewed policies and procedures for special system privileges. We reviewed user IDs with these accesses. We interviewed OCIO/NITC security staff to determine how these user IDs are monitored. We determined if forms were completed for user IDs with high-level system privileges.
We attempted to review written access authorizations for persons with system administrator duties in the midrange environment.

CONCLUSION:
The control structure policies and procedures were suitably designed to achieve the control objective and were operating effectively.
No written policies and procedures exist outlining midrange system logs that are to be reviewed or what actions to take for various security violations.
Access to midrange servers was logged. However, as discussed in Control Objective 2, responsibility for review of the midrange platform logs rested with the midrange system administrators. See the conclusion section for Control Objective 2 for further information.
Written access authorizations\n                                operating system and\n                                                                                                   did not exist for system\n                                software modifications, as                                         administrators in the midrange\n                                well as other significant                                          environment. However,\n                                changes to other                                                   OCIO/NITC immediately\n                                OCIO/NITC infrastructure                                           drafted a policy to control\n                                components.                                                        access and has taken steps to\n                           d.   System privileges that                                             identify and restrict access to\n                                bypass normal system                                               the midrange systems thereby\n                                controls are allowed only                                          mitigating these vulnerabilities.\n                                when necessary and\n                                requested by the appropriate                                       Special access privilege\n                                supervisor in writing, and are                                     policies had been updated and\n                                logged and/or closely                                              user IDs with special access\n                                monitored.                                                         
privileges had been limited.\n\n\nUSDA/OIG-A/88501-2-FM                                                                                                             Page 8\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                        Exhibit A \xe2\x80\x93 Page 7 of 10\n     CONTROL                      CONTROL\n     OBJECTIVE                   TECHNIQUES                       TESTS PERFORMED                        CONCLUSION\n8.   Provide             a.   The procedures to be              We reviewed critical data sets     The control structure policies\n     reasonable               followed by technicians and       to determine if user IDs           and procedures were suitably\n     assurance that           librarians are thoroughly         accessing these data sets were     designed to achieve the control\n     operations staff         documented.                       being logged.                      objective and were operating\n     operates            b.   Access to resources and data                                         effectively.\n     automated                files is limited by security      We reviewed system\n     equipment in             software to those required to     configuration in the midrange      Access to midrange servers\n     accordance with          do their work.                    environment to determine if        were logged. However, as\n     the management      c.   On most USDA systems,             logging is maintained on the\n                                                                                                   discussed in Control Objective\n     criteria.                critical and repetitive           servers. 
This is a followup\n                              operations to maintain            issue from our NITC General        2, responsibility for review of\n                              systems are automated using       Controls Review \xe2\x80\x93 FISCAL           the midrange platform logs\n                              scheduling services and the       YEAR 2004 (Audit Report No.        rested with the midrange\n                              mainframe operating system.       88501-1-FM). NITC has              system administrators.\n                         c.   Technician and librarian job      initiated and planned actions to\n                              responsibilities are defined      mitigate this weakness.\n                              in their position descriptions.\n                         d.   The Daily Log/Shift Review\n                              is used to document and\n                              track operational events.\n9.   Provide             a.   Access to the operations area     We reviewed and observed           The control structure policies\n     reasonable               and office is physically          access to critical resources and   and procedures were suitably\n     assurance that           restricted through the use of     the use of guards, key badges,     designed to achieve the control\n     equipment is used        a key badge system. The           and biometric devices utilized     objective.\n     by authorized            door system uses a proximity      to control access to restricted\n     persons following        reader biometric fingerprint      areas.\n     prescribed               to prevent unauthorized\n     procedures.              access. 
Access to the             Reviewed documentation that\n                              operations area is further        NITC recertified individuals\n                              restricted through the use of     who require access to sensitive\n                              a double door access point.       areas based on job function.\n                         b.   Policies and procedures\n                              ensure that access to the         Reviewed physical access to\n                              operations area is highly         consoles to ensure access\n                              restricted. This includes         limited to only those\n                              midrange server activities.       individuals that require it to\n                         c.   Guards protect the NITC           perform their job.\n                              operations and office area 24\n                              hours per day, 7 days a\n                              week.\n                         d.   Continuously monitors NITC\n                              access control points and\n                              operational floor space\n                              through the use of differing\n                              video surveillance\n                              monitoring angles and alarm\n                              systems.\n\n\n\n\nUSDA/OIG-A/88501-2-FM                                                                                                            Page 9\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                      Exhibit A \xe2\x80\x93 Page 8 of 10\n  CONTROL                     CONTROL\n  OBJECTIVE                  TECHNIQUES                        TESTS PERFORMED                         CONCLUSION\n10. USDA: Provide    a.   
Interactive and batch access      We reviewed related policies and     The control structure policies\n    reasonable            to resources and data files is    procedures and security software     and procedures were suitably\n    assurance that        controlled through                access controls over inactive user   designed to achieve the control\n    only approved         management controls and the       IDs. This is a followup issue        objective and were operating\n    users have            use of the security package.      from our NITC General Controls       effectively.\n    access to        b.   Access to sensitive regions       Review \xe2\x80\x93 FISCAL YEAR 2004\n    OCIO/NITC,            and transactions is restricted.   (Audit Report No. 88501-1-FM).\n    and that they    c.   OCIO/NITC, on a monthly           NITC has effectively mitigated\n    are accessing         basis, suspends or deletes        this weakness.\n    and processing        logon IDs that have been\n    only within           inactive for a designated         We reviewed user IDs that have\n    approved              period of time                    not been used for an extended\n    boundaries.      d.   Security software is used to      period of time and password\n                          control user logon-ID and         settings to ensure adequate\n                          passwords.                        controls have been implemented\n                     e.   The OCIO/NITC creates             over user IDs and passwords.\n                          only those login\n                          identifications requested by      We reviewed related policies and\n                          an agency security officer.       procedures and security software\n                     f.   All new logon IDs are             access controls over special\n                          created in suspend status.        
privilege user ID.\n                          Agency security officers\n                          must unsuspend the logon ID       We reviewed policies and\n                          and change the unknown            procedures, reviewed firewall\n                          password before it is usable.     rules, and tested access controls\n                     g.   Special privileges must be        over firewalls.\n                          requested and approved by\n                          the appropriate Information       We reviewed system\n                          System Security Program           configurations to ensure settings\n                          Managers or management            did not allow excessive user\n                          officials.                        privileges. This is a followup\n                     h.   Firewalls and intrusion           issue from our NITC General\n                          detection control and detect      Controls Review \xe2\x80\x93 FISCAL\n                          activity.                         YEAR 2004 (Audit Report No.\n                                                            88501-1-FM). NITC has\n                                                            effectively mitigated this\n                                                            weakness.\n\n\n\n\nUSDA/OIG-A/88501-2-FM                                                                                                        Page 10\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                      Exhibit A \xe2\x80\x93 Page 9 of 10\n  CONTROL                       CONTROL\n  OBJECTIVE                    TECHNIQUES                      TESTS PERFORMED                         CONCLUSION\n11. Data files are     a.   
OCIO/NITC is responsible        We performed testing in NITC\xe2\x80\x99s       The control structure policies\n    adequately              for back-up and recovery of     back-up procedures for the           and procedures were suitably\n    protected from          operating system software,      mainframe and firewalls. This is a   designed to achieve the control\n    unauthorized            which is completed on a         followup issue from our NITC         objective and were operating\n    modification or         fixed schedule. Customer        General Controls Review \xe2\x80\x93            effectively.\n    destruction.            agencies are responsible for    FISCAL YEAR 2004 (Audit\n                            back-up and recovery of         Report No. 88501-1-FM). NITC\n                            their applications and data.    has effectively mitigated this\n                            The back-up tapes are stored    weakness.\n                            at a secure off-site facility\n                            and can be retrieved in less    We reviewed the most current\n                            than 2 hours.                   Contingency/ Disaster Recovery\n                       b.   Agency security officers are    Plans for OCIO/NITC\n                            responsible for identifying     Infrastructure Support,\n                            critical user files. Users      Mainframe and General Support\n                            back up their applications      Systems. This is a followup issue\n                            and data on the schedule        from our NITC General Controls\n                            they deem appropriate on        Review \xe2\x80\x93 FISCAL YEAR 2004\n                            midrange server                 (Audit Report No. 
88501-1-FM).\n                            environments, NITC system       NITC has effectively mitigated\n                            administrators rotate           this weakness.\n                            customer back-up tapes off\n                            site at customer request and\n                            use the mainframe as a\n                            supplemental back-up media\n                            through IBM\xe2\x80\x99s Tivoli\n                            Storage Manager.\n                       c.   Procedures are documented\n                            in the NITC Disaster\n                            Recovery Plans.\n12. Assess the         a.   Risk assessments are            We reviewed OCIO/NITC                The control structure policies\n    vulnerability of        performed on OCIO/NITC          Disaster Recovery Plans. This is     and procedures were suitably\n    OCIO/NITC to            systems.                        a followup issue from our NITC       designed to achieve the control\n    physical and       b.   A Contingency Plan for          General Controls Review \xe2\x80\x93            objective and were operating\n    other disasters,        Alternate Site Operations is    FISCAL YEAR 2004 (Audit              effectively.\n    and put in place        in place.                       Report No. 88501-1-FM). NITC\n    procedures for     c.   The OCIO/NITC facility is       has effectively mitigated this\n    maintaining             designed to survive             weakness.\n    essential               numerous physical disasters\n    operations after        with minimal damage.\n    such an            d.   The USDA Internet Access\n    occurrence.             
network provides the\n                            physical medium for the\n                            OCIO/NITC wide area\n                            network.\n\n\n\n\nUSDA/OIG-A/88501-2-FM                                                                                                        Page 11\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                   Exhibit A \xe2\x80\x93 Page 10 of 10\n  CONTROL                     CONTROL\n  OBJECTIVE                  TECHNIQUES                       TESTS PERFORMED                         CONCLUSION\n13. Evaluate and     a.   Vulnerabilities are assessed     We interviewed OCIO/NITC             The control structure policies\n    substantiate          on a regular basis through       officials to determine if all        and procedures were suitably\n    information           risk assessments,                network devices were periodically    designed to achieve the control\n    technology            vulnerability assessments,       scanned. This is a followup issue    objective and were operating\n    controls on a         and security testing.            from our NITC General Controls       effectively.\n    regular basis.   b.   Develop and periodically test    Review \xe2\x80\x93 FISCAL YEAR 2004\n                          a plan that will allow           (Audit Report No. 88501-1-FM).       OCIO/NITC had updated their\n                          OCIO/NITC to recover             NITC has effectively mitigated       procedures to document all\n                          operating systems and            this weakness.                       changes to the firewall in\n                          software at the Alternate                                             INFOMAN records. 
However,\n                          Operations Site within 72        We obtained and reviewed scan        firewall rules implemented\n                          hours after disaster             reports of selected systems.         before NITC established its\n                          declaration.                                                          configuration management\n                                                           We interviewed OCIO/NITC             policy were not thoroughly\n                                                           security staff to determine the      documented. OCIO/NITC\n                                                           oversight of the security staff on   were in the process of\n                                                           the midrange environment. This       implementing a commercially\n                                                           is a followup issue from our         available software product that\n                                                           NITC General Controls Review \xe2\x80\x93       would correct this\n                                                           FISCAL YEAR 2004 (Audit              vulnerability.\n                                                           Report No. 88501-1-FM). NITC\n                                                           has implemented and planned          Network devices were scanned\n                                                           actions to mitigate this weakness.   
routinely.\n\n                                                           We reviewed OCIO/NITC\n                                                           Disaster Recovery Plans.\n\n                                                           We reviewed firewall rules to\n                                                           ensure National Institute of\n                                                           Standards and Technology and\n                                                           OCIO guidelines were being\n                                                           followed.\n14. Provide an       a.   Ensure that OCIO/NITC            We reviewed procedures for           The control structure policies\n    appropriate           staff and contractors have the   removing physical access from        and procedures were suitably\n    level of              appropriate level background     separated employees.                 designed to achieve the control\n    personnel             investigation.                                                        objective and were operating\n    security and     b.   Ensure terminated                We reviewed policies and             effectively.\n    security              employees are disallowed         procedures, reviewed firewall\n    awareness.            access to NITC and NITC          rules, and tested access controls    OCIO/NITC has adequate\n                          resources.                       over firewalls.                      
controls over timely removal of\n                                                                                                unneeded user accounts.\n\n                                                                                                As discussed in Control\n                                                                                                Objective 10, OCIO/NITC had\n                                                                                                limited access to the firewalls.\n                                                                                                Only one inappropriate account\n                                                                                                was identified and OCIO\n                                                                                                immediately deleted the\n                                                                                                account.\n\n\n\n\nUSDA/OIG-A/88501-2-FM                                                                                                       Page 12\n\x0c'